
Fake Admin Login Page


Daniel


Very good! I have been wanting something like this for a while now, however it will not 100% secure your WHMCS area from real hacking attempts. Most people who know about WHMCS will know how to get to your real admin login page.

 

If you get a static IP address from your ISP, place your static IP in the .htaccess file. This will then allow you and only you to be able to access your WHMCS admin area. Want other people to access it? Simply add more static IPs to the .htaccess file!

 

Easy ;)

 

The hacker won't even be able to view the page, but you can.


@dk, thanks for the suggestion. However, that doesn't help much if you are dynamic and access your site via additional methods such as a 3G laptop and mobile phone.

 

Sign up for a dynamic DNS service, allow only that hostname to access your site, and then every time you need to log in to WHMCS from a different place, just update the IP that hostname points to.


@arbet: mate, I don't think that will work, have you tested it? I'm pretty sure Apache does a reverse lookup on the incoming IP and looks that up, rather than a forward lookup.

 

@dk: on the contrary, if the admin page is changed there's no way to locate it, as it won't appear in Google. If it's referenced in the client pages, maybe, but I don't think (don't know, but hope!) it's in there.



I haven't tried it personally, but I used to work at a hosting company and we had that setup for people who had a dynamic IP.

 

Apache does a forward lookup and a reverse lookup, and then it allows access if both match. Thinking again, it was a Windows platform, so I don't think Apache was running, and reverse lookups might have been disabled.


I saw a few pages back that it would be a good idea to add failed attempts to be blocked.

 

Why not take the rules from the original admin login page? Once the failed attempt limit has been reached, add the IP to a text file. That text file is then linked to .htaccess to be used to block these unwanted users. Somebody mentioned it before, but it appears nobody in the forum implemented it.

 

Add this to the .htaccess file.

RewriteEngine on
# Text file used to keep track of the IPs. Apache comments start with '#' on
# their own line; '//' is not comment syntax in httpd.conf/.htaccess.
# Note: RewriteMap can only be declared in the server or virtual host config
# (not in .htaccess); the RewriteCond/RewriteRule below can reference the map
# from either place once it is declared there.
RewriteMap hosts-deny txt:/path/to/hosts.deny
RewriteCond ${hosts-deny:%{REMOTE_HOST}|NOT-FOUND} !=NOT-FOUND [OR]
RewriteCond ${hosts-deny:%{REMOTE_ADDR}|NOT-FOUND} !=NOT-FOUND
# '.*' rather than '^/.*': in per-directory (.htaccess) context the matched
# path has no leading slash, so '^/.*' would never match there.
RewriteRule .* - [F]

 

Now of course it is important to make sure the 'lock out delay' is part of the fake login page (which I am not sure as I haven't tried it yet :P)
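What the post above leaves out is the piece that actually fills the deny file. The following is an added example, not WHMCS code and not the add-on from this thread: it counts failed logins on the fake admin page per source address and, when an address reaches the limit, appends it to the txt RewriteMap file in the "key value" format mod_rewrite expects. The file paths, the limit of three and the sample attempts are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example (not WHMCS or add-on code): per-IP failed-login counter that
// feeds the txt RewriteMap deny file. Paths and limit are hypothetical.
const COUNTER_FILE = '/tmp/fake-admin-attempts.json'; // hypothetical counter store
const DENY_FILE    = '/tmp/hosts.deny';               // hypothetical RewriteMap txt file
const MAX_FAILURES = 3;

/**
 * Record one failed attempt for $ip. Returns true exactly once: when this
 * attempt makes the IP reach $limit and it is written to the deny map.
 */
function recordFailedAttempt(string $ip, string $counterFile, string $denyFile, int $limit): bool
{
    // The value came straight off the network and ends up in a file Apache
    // parses, so only accept a syntactically valid IPv4/IPv6 address.
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return false;
    }

    $counts = [];
    if (is_file($counterFile)) {
        $decoded = json_decode((string) file_get_contents($counterFile), true);
        if (is_array($decoded)) {
            $counts = $decoded;
        }
    }

    $counts[$ip] = ($counts[$ip] ?? 0) + 1;
    file_put_contents($counterFile, json_encode($counts), LOCK_EX);

    if ($counts[$ip] !== $limit) {
        return false; // still below the limit, or already written earlier
    }

    // RewriteMap txt format is one "key value" pair per line. The rule only
    // checks that the lookup did not fall back to NOT-FOUND, so any value works.
    file_put_contents($denyFile, $ip . ' blocked' . PHP_EOL, FILE_APPEND | LOCK_EX);
    return true;
}

/** Read the deny map the way mod_rewrite does: first token on a line is the key. */
function isDenied(string $ip, string $denyFile): bool
{
    if (!is_file($denyFile)) {
        return false;
    }
    foreach (file($denyFile, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#') {
            continue; // blank or comment line
        }
        if (preg_split('/\s+/', $line)[0] === $ip) {
            return true;
        }
    }
    return false;
}

// In the fake login handler, after a failed POST, the call would be:
//   recordFailedAttempt($_SERVER['REMOTE_ADDR'], COUNTER_FILE, DENY_FILE, MAX_FAILURES);

// Constructed demo run using documentation-range addresses.
@unlink(COUNTER_FILE);
@unlink(DENY_FILE);
foreach (['203.0.113.7', '203.0.113.7', '198.51.100.2', '203.0.113.7', 'not-an-ip'] as $attempt) {
    $hit = recordFailedAttempt($attempt, COUNTER_FILE, DENY_FILE, MAX_FAILURES);
    printf("%-13s %s\n", $attempt, $hit ? 'reached limit, added to deny map' : 'recorded');
}
printf("203.0.113.7 denied: %s\n", isDenied('203.0.113.7', DENY_FILE) ? 'yes' : 'no');
printf("198.51.100.2 denied: %s\n", isDenied('198.51.100.2', DENY_FILE) ? 'yes' : 'no');
```

mod_rewrite re-reads a txt map when the file's modification time changes, so no restart is needed after an append. Two things a deployment has to add: entries should expire (this counter never forgets an address, so one typo from your own connection is a permanent lockout until you edit the file), and if the site sits behind a reverse proxy or CDN, `$_SERVER['REMOTE_ADDR']` is the proxy's address, so writing it to the map would block every visitor at once.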


@sgrayban: agreed, but I still think this has some value. It would be inadvisable to view this as a total security solution; rather, it's just one extra layer in your multi-layered security protection.

 

A good multi-layered security approach would include things such as mod_security + good ruleset, suPHP, and CSF; as well as keeping your control panel, OS and OS kernel up to date with patches. Changing SSH port and blocking port 25 outgoing ("SMTP tweak") will also help a lot.

Edited by brianoz (grammar improvement)

And while you are wasting time on this addon, let's teach everyone how to block brute force on SSH and/or change the port number, then we can go after changing the FTP port as well...

 

In other words a server is as secure as the admin running it.

 

Your post/comment has no relevance to this thread. Don't post if you do not want to contribute to the 'contributions' section, this is not a bitch about server security section. :roll:


If you are using CSF on your server, it will take care of port scans, failed authentications, and auto blocking based on your parameters. CSF and something as simple as changing your SSH port to something non-standard will make a significant contribution to securing your server. Just changing the SSH port will probably surprise you with the server load reduction and how much your logs shrink.

 

Adding a fake admin page to me is just running a honey pot on my server.


What is a domain alias and where do I find the section you're referring to?

 

I've done a search for it and can't find it anywhere. :roll:

 

In dologin.php, find:

<p style=\"font:11pt arial\" align=center>We have been notified of your hacking attempt!<i>Thank you</i></p><br>
</body></html>"); exit(0);

Replace with:

<p style=\"font:11pt arial\" align=center>We have been notified of your hacking attempt!<i>Thank you</i><br>
Your IP Address has been logged as $ip </p>
</body></html>"); exit(0);


Sorry for digging up an old thread. I had a spare half an hour and put together a new version with quite a few new features. It needs more work, but it's getting there.

 

I agree with Dan. If you make the date and time dynamic, we have a winner. Code looks great too. :-)

 

Once the dynamic date/time works, we'll be ready for phase II....

 

  • When the login fails, add "?func=incorrect" to the end of the url.
  • Make the Forgotten your password link "work" - send a hack attempt email that lists the email address used.
  • When we try to access any page in the fake admin folder without logging in, automatically redirect us back to the login page. (To see what I mean, try going to [real] /admin/addonmodules.php and to [fake] /admin/addonmodules.php.) I'm thinking a mod_rewrite rule can handle this part.

 

My new version mimics every function I've found so far.

 

Any plans to build the Forgotten password page?

 

Done in my new version.

 

I've submitted it to the community add-ons area, awaiting approval. More info and a download link on my blog: http://ben90.com/share/projects/WHMCS/Dummy-WHMCS-Admin

 

Leave comments here / my blog / pm etc..

 

Regards,

 

Ben


Loving the idea of this little honey-pot trap! Great little bit of obscurity! Obscurity doesn't replace security by any stretch of the imagination, but anything that makes things a bit more tricky for the hacker is worth doing! It also gives us as admins an idea of how many people are attempting hacks on our WHMCS install, and that in itself might be an eye opener!!! :shock:

 

just password protect the admin dir ;)

 

I sort of like the idea about password protecting the admin interface directory... but there is always a tradeoff with security and user friendliness.

 

I wondered, is it possible to find a compromise, where we password protect the genuine Admin folder, but also have an IP address based bypass. i.e. when I log in from my fixed IP, it lets me through without needing a password. If I try to log in from anywhere else, I need to enter the password to enter the genuine admin directory.

 

If that is possible, it would be awesome. Security without headaches for everyday access, but still the ability to access from anywhere without needing to change settings... just type an extra password and I'm in! Unlike the straight IP allow method in .htaccess, which blocks other addresses completely, or the straight passworded directory, which needs a password from everyone... this is a middle ground on security, flexibility and user friendliness, combining the best of both methods!

 

I'd still use a honey-pot as my /admin folder (eg fake one) as described in this thread though too.

 

Mike


 

Try something like this

 

# Apache 2.2 access-control syntax (on 2.4 these directives need mod_access_compat)
Order deny,allow
Deny from all
AuthName "Auth Test"
AuthUserFile "/path/to/auth/file"
AuthType Basic
Require valid-user
# Addresses that get in without a password prompt (space separated)
Allow from 1.1.1.1 2.2.2.2 3.3.3.3
# Satisfy Any: grant access if EITHER the IP allow list OR the password check passes
Satisfy Any

 

Should do exactly what you are looking for. You obviously need to create an htaccess auth file either manually or through cPanel. Then just put the IPs you want to allow access without using a username/password on the Allow from line (separated by spaces).

 

Regards

 

Ben
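The same "trusted IP or password" rule written for Apache 2.4, as an added example that is not part of Ben's post: on 2.4 the Order/Deny/Allow/Satisfy directives are legacy directives from mod_access_compat, and the native form is a RequireAny block from mod_authz_core. The addresses are documentation-range placeholders and the auth file path is the same placeholder as above.

```apache
# Added example: Apache 2.4 equivalent of the Satisfy Any snippet above.
# Addresses are placeholders from the 192.0.2.0/24 documentation range.
AuthType Basic
AuthName "Restricted admin area"
AuthUserFile "/path/to/auth/file"
<RequireAny>
    # Either the client address is on the trusted list ...
    Require ip 192.0.2.10 192.0.2.11
    # ... or a valid username/password from AuthUserFile was supplied.
    Require valid-user
</RequireAny>
```

`Require ip` also accepts CIDR ranges such as `192.0.2.0/24`. One check to do before relying on the bypass: if the host sits behind a reverse proxy, load balancer or CDN, the address Apache evaluates is the proxy's, so a trusted-IP entry for it would let every visitor through without a password.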


Excellent work!

 

Just trying this password/IP combo now. The only problem I have in testing it is that when I've already logged in with a password, I can see the contents of the folder no matter what else I tweak. Is there an easy way to "log off" again, so I can try to authenticate again, and prove if my IP address is allowing me in? How long does a session last?

 

Thanks again. I think if this works, then it'll be a great compromise for security and simplicity hand in hand!

 

Mike


The only problem I have in testing it is that when I've already logged in with a password, I can see the contents of the folder no matter what else I tweak.

 

That's one of the joys of basic auth. To log out, you just need to specify some incorrect login credentials in the format http://fakeuser:fakepass@domain.tld/path/to/auth/dir/ - I believe a few browsers have started preventing this user/pass syntax, so make sure you're using a decent browser (aka not IE).

 

Regards

 

Ben
